Episteme

Mike's random thoughts and ramblings

The real threat of identity theft...

A friend recently sent me an email that warned me that I had my phone numbers on the bottom of my email signature - she was worried for me because "you can't be too careful with all the identity theft going on". And, while I've yet to really think of a threat scenario where someone knowing my Skype-In number could cause the compromise of my NPPI, I knew I had to reflect on ID theft for a minute.

And then I read this post over at Sunnet Beskerming about a recent major ID breach. From the post:

"Continuing a trend of employees stealing valuable data, an employee at a Fidelity National Information Services subsidiary at some time prior to May 2007 stole more than 2 million records that contained a range of personal, financial account, and credit card data for users of Fidelity services."

With all the people who worry about technical ID theft (like the TJX breach), I think that this type of theft is likely far more prevalent. It reminds me of an article that Schneier wrote a few years ago in Dr. Dobb's on Attack Trees. It was a relatively overcomplexificated article for a really simple theme:

Intelligent and rational attackers will always use the lowest cost, least complex attack vector.

Thus, if you're trying to steal data and you have two choices, 1) do a major Sneakers-level social engineering attack, or 2) just pay the insider a few hundred bucks, a decent attacker will always pay the few hundred bucks.

The technical attack is always cool, but it's the simple attack that takes the day almost every time.
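The least-cost principle above, worked as a small attack tree of the kind the Schneier article describes. This is an added example, not code from the original post or from Schneier's article; the node names and dollar figures are constructed for illustration, with only the insider's "few hundred bucks" taken from the text.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "leaf"   # "leaf", "or" (any one child suffices), "and" (all children required)
    cost: float = 0.0    # attacker's cost in dollars; meaningful on leaves only
    children: list = field(default_factory=list)

def cheapest(node):
    """Return (total cost, leaf steps) for the cheapest way to reach this node."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    options = [cheapest(child) for child in node.children]
    if node.kind == "or":
        # A rational attacker takes the single cheapest branch.
        return min(options, key=lambda o: o[0])
    if node.kind == "and":
        # Every child is required, so the costs and the steps accumulate.
        return sum(o[0] for o in options), [s for o in options for s in o[1]]
    raise ValueError(f"unknown node kind: {node.kind!r}")

def build_tree(insider_cost=300.0):
    # All names and dollar figures are constructed for illustration.
    return Node("steal customer records", "or", children=[
        Node("technical intrusion", "and", children=[
            Node("find exploitable flaw", cost=20000.0),
            Node("exfiltrate undetected", cost=10000.0),
        ]),
        Node("social engineering campaign", "and", children=[
            Node("research staff", cost=2000.0),
            Node("run pretext", cost=3000.0),
        ]),
        Node("pay an insider", cost=insider_cost),
    ])

if __name__ == "__main__":
    print(cheapest(build_tree()))
    print(cheapest(build_tree(insider_cost=50000.0)))
```

The second call shows that the cheapest path only moves once the insider route costs more than the next alternative.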

About the author

Michael Murray